curl & libcurl-gnutls: fix BUILDLINK_API_DEPENDS.openssl
The assignment shouldn't be placed in Makefile.common for more than one
reason (openssl is a build option, it should be propagated to packages
that link against libcurl, and, though harmless, makes no sense being
applied to libcurl-gnutls).
Related to PR pkg/59899. Also likely related to:
https://mail-index.netbsd.org/tech-pkg/2026/01/16/msg031893.html
www/chromium: update to 144.0.7559.59
* 144.0.7559.59
This update includes 10 security fixes. Below, we highlight fixes that
were contributed by external researchers. Please see the Chrome Security
Page for more information.
[$8000][458914193] High CVE-2026-0899: Out of bounds memory access in V8.
Reported by @p1nky4745 on 2025-11-08
[TBD][465730465] High CVE-2026-0900: Inappropriate implementation in V8.
Reported by Google on 2025-12-03
[TBD][40057499] High CVE-2026-0901: Inappropriate implementation in Blink.
Reported by Irvan Kurniawan (sourc7) on 2021-10-04
[$4000][469143679] Medium CVE-2026-0902: Inappropriate implementation in V8.
Reported by 303f06e3 on 2025-12-16
[$3000][444803530] Medium CVE-2026-0903: Insufficient validation of untrusted
input in Downloads. Reported by Azur on 2025-09-13
[$1000][452209495] Medium CVE-2026-0904: Incorrect security UI in Digital
[11 lines not shown]
lang/php85: update to 8.5.2
8.5.2 (2026-01-15)
15 Jan 2026, PHP 8.5.2
- Core:
. Fix OSS-Fuzz #465488618 (Wrong assumptions when dumping function signature
with dynamic class const lookup default argument). (ilutov)
. Fixed bug GH-20695 (Assertion failure in normalize_value() when parsing
malformed INI input via parse_ini_string()). (ndossche)
. Fixed bug GH-20714 (Uncatchable exception thrown in generator). (ilutov)
. Fixed bug GH-20352 (UAF in php_output_handler_free via re-entrant
ob_start() during error deactivation). (ndossche)
. Fixed bug GH-20745 ("Casting out of range floats to int" applies to
strings). (Bob)
- DOM:
. Fixed bug GH-20722 (Null pointer dereference in DOM namespace node cloning
[51 lines not shown]
lang/ruby32-base: update to 3.2.10
3.2.10 (2026-01-14)
This release includes the following security fixes:
* CVE-2025-61594: URI Credential Leakage Bypass previous fixes | Ruby
* CVE-2025-58767: DoS vulnerability in REXML | Ruby
and the following fixes for some issues:
* Build issue of using Ruby 4.0 with BASERUBY at Windows platform
* Issue with OpenSSL 3.6.0
What's Changed
* Backport post_push.yml workflow to ruby_3_2 by k0kubun · Pull Request
#14771
* Backport fetch_changesets to ruby_3_2 by k0kubun · Pull Request #14774
[2 lines not shown]
py-last: updated to 7.0.2
7.0.2
Fixed
Fix user playcount for artists
Create httpx.Client with context manager to fix unclosed socket resource warning
Fix setting network for country.get_top_artists
Simplify xml.dom imports
